How to store function app's function keys in a key vault

Published Aug 12 2021 01:55 AM
Microsoft

 

When running Azure function apps, we need function keys to access the functions. By default, the function keys of a function app are stored in a storage account, which is specified in the app setting ‘AzureWebJobsStorage’. You can view the keys in the portal as shown below.

Fig 1. Host keys of function apps in portal

 

Fig 2. Function keys of a function in portal

 

If you go to the storage account specified in the app setting ‘AzureWebJobsStorage’, you can find the function keys in the container ‘azure-webjobs-secrets’, shown below.

 

Fig 3. The container where function keys are stored in the storage account

 

In the container, you can see the file ‘/{functionAppName}/host.json’, where function keys are stored.

Fig 4. The host.json file where function keys are written

 

Instead of a storage account, we can also choose a key vault to store function keys.  Below are the detailed steps.

 

Solution:

1. First, add the following two app settings to the function app.

| Appsetting Name | Value |
| --- | --- |
| AzureWebJobsSecretStorageType | keyvault |
| AzureWebJobsSecretStorageKeyVaultName | <key vault's name> |

 

2. Enable managed identity in the ‘Identity’ blade of the function app in the portal.

Fig 5. Enable managed identity of a function app.

 

3. Go to the ‘Access Policies’ blade of the key vault in the portal and add an access policy for the function app using the app’s managed identity. You need to give the function app at least the secret management permissions.

Fig 6. The access policies blade of the key vault.

 

Fig 7. Select your function app in ‘Select principal’, and give it the secret management permissions.

 

4. It is best to restart the function app so that the settings take effect immediately.

 

5. Now when you add or delete host keys or function keys in the portal, you will see the function keys in ‘secrets’ of the key vault.

Fig 8. Host/function keys stored in key vault.
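
The settings from steps 1 to 3 can be checked across many function apps at once. The following is an added example, not code from the original post: it audits a constructed inventory of apps and flags those that do not store keys in a key vault, lack a managed identity, or share a vault, which per the comments on this post means they share function keys. The `APPS` structure, the `audit` function and the finding labels are assumptions of this example.

```python
from collections import defaultdict

# Constructed inventory (assumed shape): app name -> app settings + identity flag.
APPS = {
    "orders-func": {"managed_identity": True, "settings": {
        "AzureWebJobsSecretStorageType": "keyvault",
        "AzureWebJobsSecretStorageKeyVaultName": "kv-shared"}},
    "billing-func": {"managed_identity": True, "settings": {
        "AzureWebJobsSecretStorageType": "keyvault",
        "AzureWebJobsSecretStorageKeyVaultName": "KV-Shared"}},
    "legacy-func": {"managed_identity": False, "settings": {
        "AzureWebJobsSecretStorageType": "keyvault",
        "AzureWebJobsSecretStorageKeyVaultName": "kv-legacy"}},
    "reports-func": {"managed_identity": True, "settings": {
        "AzureWebJobsStorage": "<storage connection string>"}},
}

def audit(apps):
    """Return (app, finding) pairs; the finding labels are this example's own."""
    findings = []
    vault_users = defaultdict(list)
    for name, app in sorted(apps.items()):
        settings = app["settings"]
        # Step 1: both settings must be present for keys to go to a vault.
        # The value is compared case-insensitively as a lenient choice here.
        kind = settings.get("AzureWebJobsSecretStorageType", "").lower()
        if kind != "keyvault":
            findings.append((name, "not-in-keyvault"))
            continue
        vault = settings.get("AzureWebJobsSecretStorageKeyVaultName", "").strip().lower()
        if not vault:
            findings.append((name, "vault-name-missing"))
            continue
        # Steps 2-3: the access policy is granted to the app's managed identity.
        if not app.get("managed_identity"):
            findings.append((name, "no-managed-identity"))
        vault_users[vault].append(name)
    # Per the comments on the post, apps using one vault see the same keys.
    for vault, users in sorted(vault_users.items()):
        if len(users) > 1:
            findings.extend((name, f"shares-vault:{vault}") for name in users)
    return findings

if __name__ == "__main__":
    for app_name, finding in audit(APPS):
        print(f"{app_name}: {finding}")
```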

 

Hope this article will be useful to you! Thanks for reading!

2 Comments
Senior Member

“host-functionKey-<nameOfTheKey>” - it doesn’t include id/name of the Function App? Does it mean one Key Vault per FunctionApp?

 

Still awesome feature function app and post. I wonder… Can I rollover function key in the Key Vault and it will populate to Function App? Restart required? Have to check this soon :).

 

BTW - fix fig 7 caption: permission for “secret” not “certificate”.

Microsoft

@Tomasz Olędzki, sorry for the delay! Yes, your concerns are right. As I tested, if two function apps use the same key vault, then in the portal we can see they are using the same function keys. And also by manually modifying the secrets' values or adding values in the key vault, you can also see the updates in the function app's function keys.

Last update: Aug 17 2021 08:57 PM